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(54) Personal identif ication FOB 

(57) Apparatus, and a method for its use, for auto- 
matically verifying fhe identity of a person seeWng 
access to a protected property, such as a car, room, 
building or automatic teller machine. The apparatus, 
which is disclosed in the farm of a handheld fob (14). 
includes a sensor (16) for reading biometric data, such 
as a fingerprint image, from the person (12). and a cor- 
relator (28) for comparing fhe sensed data with a previ- 
ously stored reference image (32) and for determining 
whether there is a match. If there Is a match, the fob 
(14) Initiates an exchange of signals with the "door (10) 
that protects the property. Specifically, the fob (14) gen- 
erates a numerical value, such as a cyclic redundancy 
code, from the stored reference image (32), encrypts 
the numerical value, and transmits H to the door (10) ad 
confirmation of the person's identity For further security, 
the person (12) registers this numerical value at each 
door (10) to which access is desired Upon receipt of 
identity confirmation from the fob (14), the door (10) 
compares the received numerical value with the one 
stored during registration, before granting access. 
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Description 

BACKGROUND OF THE INVENTION 

[0001] The present invention relates generally to per- s 
sonal identification or verification systems and. more 
particularly, to systems that automatically verify a per- 
son's identity before granting access to something of 
value. Traditionally, keys and locks, or combination 
locks, have been used to limit access to property, on the 1 o 
theory that only persons with a right to access the prop- 
erty wilt have the required key or combination. This tra- 
ditional approach is, of course, still widely used to limit 
access to a variety of enclosed spaces, including 
rooms, buildings, automobiles and safe deposit boxes in is 
banks. In recent yea*, mechanical locks have been 
supplanted by electronic ones actuated by encoded 
plastic cards, as used,. for example, for access to hotel 
room doors, or to bank automatic teller machines 
(ATMs) . In the latter case, the user of the plastic card as so 
a "key" to a bank account must also supply a personal 
identification number (PIN) before access is granted. 
[0002] Many automobiles are protected both by locks 
and by intrusion alarms, which are typically activated 
and deactivated using a small radio or infrared transmit- 25 
ter carri ed by the car owner as a key-chain fob. Although 
this type of device is convenient its loss by the owner 
may render the vehicle just as vulnerable to theft as K 
mechanical keys had been used lor protection. 
[00031 Today, a person still needs to carry a variety of so 
keys for access to home, workplace and car, and an 
ever expanding stack of plastic cards for access to 
financial assets, such as bank accounts and store 
charge accounts. Today's busy person must memorize 
several passwords and PINs for use in conjunction with ss 
the plastic cards, and for use to access computer soft- 
ware that may or may not require an access card as 
well. Moreover, afl of the foregoing devices tor limiting 
access are subject to theft, duplication and misuse. 
Assets protected by mechanical keys are the most vul- ao 
nerable, of course, but assets protected by combina- 
tions, passwords and PINs are also subject to illegal 
entry by unauthorized users who have stolen, deduced 
or guessed the appropriate combination, password or 
PIN. 45 
10004] Accordingly, there is a widely felt need tor a 
more reliable technique for limiting access to personal 
property and other valuable assets. Ideally, the tech- 
nique should positively verify the identity of the person 
seeking access, and should eliminate the need to carry go 
muHfcle keys and scannable cards, and the need to 
memorize combinations, passwords and PINs. The 
present invention satisfies this need. 

SUMMARY OF THE INVENTION 53 

[0005] The present invention resides in apparatus, 
and a method for its use, for automatically verifying the 



identity of a person seeking access to a protected prop- 
erty. The protected properly may take a variety of forms, 
such as a building, a room, an automobile or a financial 
account For purposes ol explanation, access to the 
protected property is said to be obtained through a 
"door." In marry cases, if the property is an autornobile. 
a room or a building, for example, it will in fact have a 
physical door through which access is obtained. Other 
types of protected property win not have a physical entry 
door, but may still be considered to have a "door for 
purposes of the present invention. In accordance with 
an important aspect of the invention, a person may 
securely access a door that rs located right next to the 
user or one that is thousands of miles away. 
[0006] Briefly, and in general terms, the apparatus of 
the present Invention comprises a sensor, for reading 
biometric data identifying a person seeking access to a 
protected property: storage means, tor storing refer- 
ence biometric data identifying a person authorized to 
have access to the protected property; a correlator, for 
comparing the stored reference biometric data with the 
biometric data of the person seeking access and deter- 
mining whether they match; and means for securely 
comrnurvcafing identity conf irmation to a door that pro- 
vides access to the protected property upon receipt of 
the identity confirmation. The apparatus may lurther 
comprise a user interface having a first switch to initiate 
operation of the apparatus in a verfficartion mode, and a 
second switch, actuation of which places the apparatus 
in an enroll mode of operation, wherein biometric data 
from the sensor are stored in the storage means for 
subsequent retrieval in me verification mode of opera- 
tion. 

[0007] In the disclosed errtHxflrnerrte of the invention, 
the sensor, the storage means and the correlator are all 
contained in a portable device, which may be a fob car- 
ried by the person, or some other type of communica- 
tion device remote from the protected property in the 
disclosed embodiments, the means for securely com- 
municating identity confirmation includes means for 
generating a numerical value from the stored reference 
biometric data; encryption logic, for encrypting the 
numerical value; and a cornmuntaation interface for 
sending the encrypted numerical value to the door, 
together wim identification data for the person. The door 
provides the desired access to the protected property 
upon confirming that the transmitted numerical value is 
the same as one previously provided by the person dur- 
ing a registration procedure. 

[OO08] The apparatus of the invention may furtner 
include a receiver, for receiving an encryption key gen- 
erated by and transmitted from the door, and means tar 
storing a private encryption key in the portable device. 
Further, the encryption logic in the device indudes 
means for doubly encrypting the numerical value using 
the encryption key received from the door and the pn- 
vate encryption key. 

[0009] The apparatus of the invention may also be 
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defined as a portable fob that includes a sensor, for 
reading fingerprint data identifying a user seeking 
accgss to a protected property: a memory for storing a 
reference fngerprint image of the user during an enroll- 
ment procedure and for holding the reference image for £ 
future use; an image correlator, for comparing the 
stored reference image with a fingerprint image of the 
user seeking access, as obtained from the sensor, and 
for determining whether file two images match; and 
means for securely communicating identity confirmation io 
to a door that provides access to the protected property 
upon receipt of the identity confirmation. More specifi- 
cally, the means for securely communicating identity 
confirmation includes means for generating a numerical 
value from the stored reference fingerprint image; is 
encryption logic, for encrypting the numerical value; and 
a transmitter for ©ending the encrypted numerical value . 
to the door, together with user identification data. The 
door provides the desired access to the protected prop- 
erty upon confirming that the transmitted numerical so 
value is the same as one previously provided by the 
user during a registration procedure. 
[001 0] In the personal identification fob as defined in 
the previous paragraph, foe means for generating a 
numerical value includes means for generating a cyclic 2s 
redundancy code from the stored reference fingerprint 
image The fob further includes a receiver, for receiving 
an encryption key generated by and transmitted from 
the door; and means for storing a private encryption key 
in the fob. The encryption logic in the fob includes so 
means for doubly encrypting the numerical value using 
the encryption key received from the door and the pri- 
vate encryption key. 

[00111 In terms of a novel method, the invention com- 
prises the steps of sensing biometric data of a user, 35 
through a sensor that is part of a personal identification 
device earned by the user; comparing the sensed bio- 
metric data with reference biometric data previously 
stored in the personal identification device; determining 
whether the sensed biometric data match the reference *o 
biometrfc data; H there is a match, securely communi- 
cating an identity confirmation to a door that controls 
access to the protected property; and upon confirma- 
tion of the identity of the user at the door, actuating a 
device that provides the desired access. The method *s 
further comprises the step of initiating normal operation 
of the personal identification device by means of a man- 
ual switch, 

[Out 21 In one embodiment of the method, there are 
optional steps of receiving a "wake-up" message from so 
the door on approaching it to seek access; and initiating 
normal operation of the personal identification device on 
receiving the "wake-up" massage. The step of securely 
wjirimunicating includes generating a numerical value 
from the stored reference biometric data; encrypting the 55 
numerical value; transmitting the encrypted numerical 
value to the door; transmitting user identification data to 
the door receiving and decrypting the encrypted 
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numerical value at the door; comparing the decrypted 
numerical value with one previously stored at the door 
by the user during a registration process* to confirm the 
identity of the user; and if the identity of the user is con- 
firmed, activating a desired function to provide access 
to the protected property. 

[001 3] More specifically, the step of securely commu- 
nicating further comprises the steps of generating at the 
door a random pair of door public and private encryption 
keys; transmitting the door public key to the personal 
identification device; selecting for the personal identifi- 
cation device a pair of pubQc and private encryption 
keys for all subsequent uses of the device; providing the 
personal identification device public key to the door as 
part of the door registration process; and storing the 
personal identification device private key secretly in the 
device. The encrypting step Includes doubly encrypting 
the numerical value with the door public key and the 
personal identification device private key. The method 
further includes the step, performed at the door, of 
decrypting the doubly encrypted numerical value using 
the personal Identification device public key and the 
door private key. 

[0014] It will be appreciated from the foregoing that 
the present invention represents a significant advance 
in providing secure access to buildings, vehicles, com- 
puters, or any other protected property. More particu- 
larly, the invention allows multiple properties or assets 
to be accessed using a single security device, which 
reliably identifies its owner using biometric data, such 
as a fingerprint Because identification is verified in a 
small portable device, communication with multiple 
"doors'' to protected property can be limited to a simple 
identity confirmation message, appropriately encrypted 
to prevent eavesdropping or reverse engineering. Other 
aspects and advantages of the Invention will become 
apparent from the tallowing more detailed description, 
taken In conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[00151 

FIG. 1 1s a cfiagjam illustrating an application of the 
invention, wherein a portable device is used to open 
a door to a protected property located nearby; 
RQ. 2 is a block diagram depicting the principal 
components of the present invention; 
FIG. 3 is a more detailed block diagram showing ihe 
components of a processor module shown in FIG. 
2; and" 

FIGL 4 is a block diagram showing a sequence of 
signals transmitted between the portable device 
and a door to protected property^ 
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DESCRIPTION OF THE PREFERRED EMBODI- 
MENTS 

[001 6] As shown in the drawings for purposes of illus- 
tration, the present invention pertains to a system for 
automatic verif ication of the identity of a person seeking 
access to protected property. Traditionally, property has 
been protected by mechanical locks and keys, or by 
combination locks or electronic devices requiring the 
memorization of combinations, passwords and personal 
identification numbers (PlNs). 
[001 7] In accordance with the present invention, the 
person seeking access to protected property carries a 
portable device that includes a sensor capable of 
obtaining selected biometric measurements associated 
wiffi the person, and communicating with a related 
device located near the "door" of the protected property. 
Preferably, the portable device also includes identity 
verification means, which compares the biometric 
measurements obtained from the sensor with corre- 
sponding measurements stored in a reference set of 
biometric measurements that were obtained from the 
same person during an enrollment procedure per- 
formed earlier. . 
[001 8] FIG. 1 shows diagrammaticalry how the inven- 
tion is used to open a "door," indicated by reference 
numeral 10, to protected property. A person 12 eeeking 
entry to the door 1 0 carries a sman handheld device 14. 
which may take the form of a fob- The fob 1 4 communi- 
cates with a receiver 15 located near the door 10. In the 
presently preferred embodiment of the invention, the fob 
14 or similar portable device includes a biometric sen- 
sor, which, in the presently preferred eritbodiment of the 
Invention, is a fingerprint sensor 16. It wW be under- 
stood however, that the principles of the invention are 
also applicable to a device that employs other biometric 
* properties to identify the user 12. such as print patterns 
from other parts of the anatomy, or ins patterns of the 
eye. 

[0019] When the user 1 2 places a finger over the sen- 
sor 16 and actuates a switch, the person's fingerprint is 
scanned and Is compared with a reference fingerprint 
Image stored in the feb 14, which includes a fingerprint 
correlator for this purpose, If the comparison results in a 
match, the fob 1 4 transmits a confirming message to the 
door 10. which is opened to allow access by the user 
12. 



[0020] The nature of the confirming message sent to 
the door 10 ie of considerable importance, because a 
simple "OK" or "open" signal in a standardized format 
would be easy to duplicate in a "doning" process, and 
unauthorized access would be a relatively simple mat* 
ter The confirming message should ideally be In the 
same format for different access "doors, - but should be 
encoded or encrypted in a way that prevents its duplica- 
tion and prevents reverse engineering of the fob 14. 
Details of one technique for accomplishing these goals 
are provided below. 



[0021] FIG. 2 shows the principal components of the 
fob 14, including the fingerprint sensor 16, a processor 
module 20, a transceiver 22 and a battery power supply 
24. The finger print sensor 16 may be of any available 

5 design, and may include a capacitive or optical sensor. 
The sensor 16 produces a binary or grayscale image of 
a portion of the user's fingerprint. For rapid processing, 
the entire image may not be used in the comparison 
process that follows, but what the sensor 1 6 provides is 

w a detailed "map' of the thgerprint including all of Its 
ridges and valleys. The processor module 20 is shown 
in moredetailinFia 3. 

[0022] The processor module 20 includes aprocessor 
26. which may be, for example a RISC (reduced instruc- 
ts tion set computer) processor, a fingerprint matcher, 
which Is a feature correlator 28 in the preferred embod- 
iment of ihe invention, a cyclic redundancy code (CRC) 
generator 30. storage 32 for a reference fingerprint 
image, encryption logic 34 and storage 36 tor a private 
so encryption key. The fob 14 also includes a user Interface 
38 through which the user 12 initiates operation in vari- 
ous modes. Basically, the user interface 38 includes one 
main operating button, which may be incorporated into 
the fingerprint sensor 16. and at least one additional 
26 button to initiate operation in the enrollment mode. The 
principal function of the RISC processor 26 is to pre- 
process and enhance the fingerprint image provided by 
the sensor 16. Pre-processing Includes "cleaning" the 
image, cropping the image to eliminate background 
30 effects, enhancing contrast in the image, and converting 
the image to a more manageable binary form In the 
enrollment mode, the pre-processed image is stored in 
the reference image storage area 32, as indicated by 
the broken One 40. Enrollment is performed when the 
35 user first acquires the fob 14. and Is norrnaJry not 
repeated unless the fob is lost or damaged. For addi- 
tional security and convenience, the user may be asked 
to enroll two fingerprints, to allow for continued access if 
the user injures a finger, for example. In a verification 
40 mode of operation, the pre-processed fingerprint image 
is Input to the correlator 28. as indicated by line 43, 
where it is compared with the reference image obtained 
from storage 32 over Hue 44. The correlator 28 uses an 
appropriate technique to compare the images, depend- 
45 ing on the level of security desired. Because speed of 
operation is an important factor, a bit-by-bit comparison 
of the entire images is usually not performed. Rather. 
Gigniffoant features of the reference image are identified 
and the same features are looked far in the newly 
50 scanned image. The techniques disclosed in US. Pat- 
ent NO 5,067,162 may, for example, be Incorporated 
into the correlator 28 for some applications of the fob 14. 
Preferably, the fingerprint correlator 28 should follow the 
teachings of a co-pending patent application entitled 
55 -Rngerprint Feature Correlator; by ir^entors Bruce W. 
Evans et aL which is hereby incorporated by reference 
into this specification. As a result of the comparison of 
the images, the correlator 28 may generate a match sig- 
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nal on line 46, which activates the CRC generator 30. if 
a no-match signal is generated, as indicated on line 46, 
no further processing is performed. Optionally, the re- 
match signal on line 48 may be used to actuate an indi- 
cator on the user interface 38. 
[0023] The cycOc redundancy code (CftC) generator 
30, when actuated by a match signal on line 46, gener- 
ates a relatively long (such as 128 bits) binary number 
derived from the reference image data. "The CRC pro- 
vides a single number that for all practical purposes, 
uniquely identifies the stored reference fingerpnnt 
image. Even if two fingerprint images produced the 
same CRC. which is highly unlikely, the security of the 
system of the invention would not be compromised* as 
will shortly become dear. 

[0024] The CRC itself is not stored in the fob 14, but is 
transmitted In encrypted form to the door receiver 15. 
Before using the fob 14 for -access to a particular door 
10 for the first time, the user 12 must First "register at 
the door. The registration process is one in which an 
administrator of the door stores the user's name (or 
account number, or other identifying information), in 
association with a public encryption key to be used m 
the user's fob 14, and the user's CRC as derived from 
the user's reference fingerprint If the door 10 provides 
access to a financial institution, for example, the user 
will register by bringing hts or her fob 14 to the institu- 
tion and transmitting the fingerprint CRC from the fob to 
the door receiver 15. In the registration mode, the door 
receiver 1 5 wiK store the user's CRC in association with 
the users name or other identifying information. As part 
of the registration process, the user 12 will normally be 
required to present some form of identification other 
than the fob 14. to prove to the institution that the user 
is in feet the one whose name or other identifying infor- 
mation is presented and will be stored in the door 10. 
[0025] Trie registration process tor access to more 
personal properties, such as one's aufcmM is much 
simpler, but the user* name or ether rientrfying infor- 
mation is still stored in the door in association with the 
CRC and the fob public encryption key. Even personal 
properties, such as automobiles, should have the capa- 
bility to store several different sets of personal informa- 
tion, for use by multiple family members, for example. 
As will now be explained in more detail, in a sii^equent 
use of the fob 1 4 for access to a door 1 0 at which the 
user has registered, the fob transmits a user name and 
the CRC corresponding to the stored reference image. 
Logic at the door 10 then compares the received CRO 
with the one that was stored for the named user during 
registration, ff there is a match, the door is opened for 

the user. , 
[002B] FIG. A shews the communications that pass 
between the fob 14 or other personal idenWicaton 
device and a door 10. four different forms of which are 
. shewn, including a car door 10.1. a buMing door 10.2, 
an automatic teller machine (ATM) 10.3. and a compu- 
ter 10 .4. Each door 10 has an actuator 50. to perform 



some desired operation, such as opening the door, and 
each dooralso has a database 52 in which is stored the 
user name, the user fob public encryption key and the 
user CRC, for each user registered to use the door. 
5 [0027] When the user actuates the fob 1 4, the user 
name is transmitted to the door 10 In non-encrypted 
form, as indicated by line 54. Optionally, this step may 
be triggered automatically as the user approaches the 
door 10. As indicated by line 56, the door 10 may trans- 
w mrta "wake-up" call that is received by an approaching 
fob 14. which then transmits the user name. 
[00281 On receiving the user name, the door 10 gen- 
erates a random pair of public and private encryption 
keys to be used in the ensuing exchange of messages. 
1$ Since public key encryption is used in this illustrative 
embodiment of the invention, a few words of explanation 
are'called for. but it will be understood that the principles 
of public key encryption are well understood in the field 
of secure communication. 
so [0029] In public key encryption, two separate encryp- 
tion keys are used: a "public" key (potentially known to 
everyone and not kept secret), and a private" key 
(known to only one party in a communication from one 
party to another). The pair of public-private keys has the 
as property that if either of them is used to encrypt a mes- 
sage, the other one of the pair will decrypt the message. 
For example, party A can send a secure message to 
party B by first encrypting with B's public key. Only B 
can decrypt the message, because only B has B's pn- 
30 vate key needed for decryption. Similarly. B could send 
an encrypted message to A using B's private ««y Jor 
encryption. A could decrypt the message with Bs public 
key, but so could anyone else, because B's pubfic key 
maybe known to others. Therefore, the message trane- 
35 mitted using this "backward" form of public key encryp- 
tion would notbe secure. 

[00301 The illustrative embodiment of the present 
invention uses a double encryption form of pub!* ^ 
encryption. Both the fob 14 and the door 10 have a put^ 
40 nc-prrvale key pair. As presently contemplated, the fob 
14 of the invention will have a "fixed" public and private 
key pair, that ts to say the publlo and private keys wll not 
changed from one use of the fob to the next The fob 
pubBc key is registered with each door 10 end it would 
43 be irnpiacfical to change it for every use. The fob private 
key isstored (at 3B, FIG. 3) in the fob 14, preferably m a 
form in which it cannot be discerned by inspection or 
reverse engineering- The key may. for example, be 
encoded into the silicon structure of the processor mod- 
so ule 20 in such a way that it is practically indeclinable 
by any normal .reverse engineering technique. Each 
door 10 generates a new puhfic^xivate key pair on 
every new use of the door. Thus, these keys cannot be 
determined in advance of the actual message exchange 
ss withafobU. 

[0031] Upon receipt of a user name from the fob i *. 
the door 10 to which access is sought generates a ran- 
dom pair of public-private keys, and transmits the public 
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key to the fob without encryption, as indicated by line 
5& Then, rf the fob 14 has validated the user's identifi- 
cation by successfully matching the sensed fingerprint 
image with the reference image, the fob performs two 
levels of encryption on the CRC thatis generated. First 
the encryption logic 34 in the fob 14 encrypts the CRC 
using the door's public key. Then the resulting encrypted 
CRC is doubly encrypted using the fob's private key. 
Trie doubly encrypted CRC is transmftted to the door 
10, where ft is decrypted using the fob's public key and 
then using the door's private key to recover the CRC. 
The door 10 then compares this CRC with the CRC in 
its database 52 associated with the user name seeking 
access to the door. It there is a match, the door 10 sig- 
nals hs actuator 50 to open the door or to perform sortie 
other desired operation. 

[0032] It will be appreciated from this description that 
the Invention provides an extremely secure technique 
for accessing protected property. The fob 1 4 is designed 
such that is cannot initiate a door opening operation 
wifliout first matching the fingerprint of the user with the 
stored reference image. Even if a fob thief successfully 
re-enrolls hfe own fingerprint info the fob, the CRCs 
stored in each of the doors where the rightful user is 
registered would prevent operation of the doors by the 
thief. 

[0033] Someone attempting to fabricate a "cloned" fob 
would not have the fob private key: so the door would be 
unable to decrypt messages from the doned fob. If 
someone were to eavesdrop on a fob transmission and 
try to emulate this message in a subsequent attempt to 
open the same door, tiiis approach would be foiled by 
the door's use of a different set of keys for each transac- 
tion. Therefore, the fob's encrypted message to any 
door will be different on each occasion. 
[0034] An additional level of security may be provided 
by storing the CRC at the door 10 in an internally 
encrypted form, to prevent theft of CRCs from doors. 
[0035] It will be understood from the foregoing that the 
present invention represents a sigmficant advance in 
the field of security devices for limiting access to prop- 
erty. In particular, the invention allows a person to obtain 
access to many different properties using a single hand- 
held device that verifies its owners identity very reliably, 
using unique biometric parameters, such as those 
found in a fingerprint. Moreover, the device of the inven- 
tion is highly resistant to reverse engineeriig, "cloning" 
and other techniques for tampering to obtain access to 
the protected properties. It will also be appreciated that, 
although a specific embodiment of the invention has 
been described in detail for purposes of illustration, var- 
ious modifications may be made without departing from 
the spirit and scope of the invention, which should not 
be limited except as by the appended claims. 

Claims 

1. Apparatus for automatically verifying the identity of 
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a person seeking access to a protected property, 
the apparatus comprising: 

a sensor, for reading biometric data identifying 
a person seeking access to a protected prop- 
erty; 

storage means, for storing reference biometric 
data identifying a person authorized to have 
access to the protected property; 
a correlator, for comparing the stored reference 
biometric data with the biometric data ot the 
person seeking access and determining 
whether they match; and 
means for securely communicating identity 
confirmation to a door that provides access to 
the protected property upon receipt of the iden- 
tity confirmation. 

2, Apparatus as defined in claim 1. and further com- 
prising: 

a user interface having a first switch to initiate 
operation Of the apparatus in a verification 
mode, and a second switch, actuation of which 
places the apparatus in an enroll mode of oper- 
ation, wherein biometric data from the sensor 
are stored in the storage means for subsequent 
retrieval in the verification mode of operation; 
and/or wherein: 

the sensor, the storage means and the correla- 
tor are all contained in a portable devlce. 

3. Apparatus as defined in claim 2, wherein: 

the sensor, the storage means and the correla- 
tor are all contained in a portable fob carried by 
the person; and/or wherein; 
the sensor, the storage means and the correla- 
tor are all contained in a communication device 
remote from the protected property; and/or 
wherein the means for securely communicating 
identity confirmation includes: 
means for generating a numerical value from 
the stored reference biometric data; 
encryption logic, for encrypting the numerical 
value; and 

a communication interface for sending the 
encrypted numerical value to the door, together 
with identification data for the person; 
wherein the door provides the desired access 
to the protected property upon confirming that 
the transmitted numerical value is the same as 
one previously provided by the person during a 
registration procedure: and 
said apparatus preferably further comprising: 
a receiver, for receiving an encryption key Gen- 
erated by and transmitted from the door; and 
means for storing a private encryption key in 
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the portable device; 

and wherein the encryption logic includes 
means for doubly encrypting the numerical 
value using the encryption key received from 
the door and the private encryption Key. 

4. a personal identification fob for automatically verify- 
ing the identity of a user seeking to use the fab for 
access to a protected property, the fab comprising: 

a sensor, for reading fingerprint data identifying 
a user seeking access to a protected property: 
a memory lor storing a reference fingerprint 
image of the user during an enrollment proce- 
dure and for holding the reference image far is 
future use; 

an image correlator, for cornpanng the stored 
reference imaae with a fingerprint image of the 
user seeking access, a* obtained from the sen- 
sor, and for determining whether the two &> 
images match; and 

means tor securely communinafing identity 
confirmation to a door thai provides access to 
the protected property upon receipt of the iden- 
tity confirmation. 

5 A personal identification fob as defined in claim 4. 
wherein the means for securely communicating 
identity confirmation includes: ^ 



means for generating a numerical value from 
the stored reference fingerprint image: 
encryption logic, for encrypting the numerical 

value; and ^ 
a transmitter far sending the encrypted rwrner- ss 
leal value to the door, together with user identi- 
fication data; 

wherein the door provides the desired access 
to the protected property upon confirming that 
the transmitted numerical value is the same as *o 
one previously provided by the user during a 
registration procedure; and 
wherein preferably the means for generating a 
numerical valufe includes means for generating 
a cyclic redirndancy code from the stored refer- 48 
ence fingerprint image; and/or 
said personal Uentiflcation fob preferably fur- 
ther comprises: 

a receiver, for receiving an encryption key gen- 
erated by and traremstted from the door; and so 
means for storing a private encryption key in 

the fob; . 
and wherein the encryption logic includes 
means for doubly encrypting the numerical 
value using fhe encryption key received from ss 
the door and the private encryption key. 

6. A method for automatically verifying fhe identity of a 



user seeking access to a property protected by a 
door, the method comprising the steps of: 

sensing biometric data of a user, through a 
sensor that is part of a personal identification 
device carri ed by the user; 
comparing the sensed biometric data with ref- 
erence biometric data previously stored in the 
personal identification device; 
determining whether the sensed biometric data 
match the reference biometric data; 
if there is a match, securely communicating an 
identity confirmation to a door mat controls 
access to the protected property; and 
upon confirmation of the Identity of the user at 
the door, actuating a device that provides the 
desired access* 

7. A mefrod as defined in daim 6, and further com- 
prising the step of: 

•initiating normal operation of the personal iden- 
tification device by means of a manual switch: 
and/or further comprising the steps of: 
receiving a "wake-up" message from the door 
on approaching it to seek access: and 
initiating normal operation of the personal iden- 
tification device on receiving the "wake-up" 
message; and/or 

wherein the step of securely communicating 
includes: 

generating a numerical value from the stored 
reference bfometric data; 
encrypting the numerical value; 
transmitting the encrypted numerical value to 

the door; w , 

transmitting user Identification data to the door; 
receiving and decrypting the encrypted numer- 
ical value, at the door; 

comparing the decrypted numerical value with 
one previously stored at the dopr by the user 
during a registration process, to confirm the 
identity of the user; and 
if the Identity of the user is confVrned. activating 
a desired function to provide access to the pro- 
tected property; and 

wherein the step of securely communicating 
preferably further comprises: 
generating at the door a random pair of door 
public and private encryption keys; 
transmitting the door public key to the personal 
identification device; 

selecting for the personal identification device a 
pair of public an private encryption keys for all 
subsequent uses of the device; 
providing the personal identification device 
public toy to the door as part of me door regis- 
tration process; and 
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storing the personal identification device pri- 
vate key secretly fn the device: 
and wherein the encrpyting step includes dou- 
bly encrypting the numerical value with the 
door public key and the personal identification 5 
device private key: and 

wherein door preferably performs the additional 
step of: decrypting the doubly encrypted 
numerical value using the persona] identifica- 
tion device public key and the door private key, to 

a. A method for a user to obtain access to property 
protected by a normally locked door, the method 
including the steps ot 

15 

placing a finger on a fingerprint sensor in a fob 
while approaching a door: 
actuating the fob to sense and record a finger- 
print of the user; 

comparting the sensed fingerprint with refer- so 

ence fingerprint data previously stored in the ( 
fob: 

upon a successful comparison, transmitting an 
identity confirmafion from the fob to the door 
thai protects the property; and 2S 
unlocking the door upon receipt of an identity 
confirmafion. 

9. A method as defined In claim 8, wherein the step of 
transmitting and identity confirmation includes: 30 

encrypting the Identity confirmation in the fob: 
and 

decrypting the identity confirmation at the door. 
- 1 (L A method as defined in claim 9, wherein: 

the step of encrypting includes doubly encrypt* 
frig; and 

the step of decrypting includes doubly decrypt- 4° , 
lng;and 

wherein the step of doubly encrypting prefera- 
bly includes first encrypting the identity confir- 
mation using a public door encryption key 
generated in and received from the door and 43 
then further encrypting using a private fob 
encryption key stored in the fob; and 
the step of doubly decrypting includes first 
decrypting using a public fob encryption key 
provided by the user on prior registration at the so 
door and then decrypting using a private door 
encryption key generated in the door. 
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PROCESSOR MODULE, 
INCLUDING: 
• PROCESSOR (E.G. RISC). 
. CORRELATOR. 
. REF. IMAGE STORAGE, 
. CYCLIC REDUNDANCY 
CODE GENERATOR. 
. PRIVATE KEY STORAGE, 
- ENCRYPTION LOGIC. 
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(54) Personal identification FOB 

(57) Apparatus, and a method for its use, for auto- 
matically verifying the identity of a person seeking ac- 
cess to a protected properly, such as a car, room, build- 
ing or automatic teller machine. The apparatus, which 
is disclosed in the form of a handheld fob (14), includes 
a sensor (16) for reading biometric data, such as a fin- 
gerprint image, from the person (12), and a correlator 
(2B) for comparing the sensed data with a previously 
stored reference image (32) and for determining wheth- 
er there Is a match. If there is a match, the fob (14) Ini- 
tiates an exchange of signals with the *door" (10) that 
protects the property. Specifically, the fob (14) gener- 
ates a numerical value, such as a cyclic redundancy 
code, from the stored reference image (32), encrypts the 
numerical value, and transmits it to the door (10) as con- 
firmation of the person's Identity. Forf urther security, the 
person (12) registers this numerical value at each door 
(1 0) to which access is desired. Upon receipt of identity 
confirmation from the fob (14), the door (1 0) compares 
the received numerical value with the one stored during 
registration, before granting access. 
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